[olug] Shell accounts? [OT?]
jason.troy at gmail.com
Sun Oct 1 08:19:30 CDT 2017
Several options exist ... I'm a fan of blocking proxies too unless you are
using one. Country based blocks are only part of the picture.
The data here is not perfect but it's a good start.
On Sep 27, 2017 1:57 PM, "Kevin" <sharpestmarble at gmail.com> wrote:
You could also make the list shorter but much less readable and
maintainable by taking advantage of CIDR VLSM:
On Wed, Sep 27, 2017 at 11:26 AM, Lou Duchez <lou at paprikash.com> wrote:
> In case anyone's interested, I came across this list of international IP
> addresses some time ago; I can't confirm its accuracy or completeness, but
> thus far it hasn't caused me any problems (that I know of). In my
> firewalls I typically block all IPs in these ranges except for email and
> Web access; I spend so little time hiking through the Balkans, I feel
> pretty safe blocking all SSH connections from Sarajevo.
> N Filename iptables.rules
> N Russia .ru
> N RIPE.NET (Europe, the Middle East and parts of Central Asia)
> N APNIC (Asian Pacific Network Information Center)
> N End APNIC Addresses
> N LACNIC (Latin American and Caribbean Network Information Center)
> N End LACNIC
> N Add .EU here?
> N duesentrieb.kunst.uni-frankfurt.de
> N end .EU
>> ipset to efficiently and easily whitelist / blacklist large sets of IP
>> addresses such as from an entire country.
>> On Tue, Sep 26, 2017 at 11:26 PM, aric at omahax.com <aric at omahax.com>
>> Thanks, that is a cool feature of iptables that I didn't know about.
>>> I first read the port knocking suggestion on this thread I thought about
>>> the Dr. Strangelove doomsday machine. You could trigger events from a
>>> knock. ....and then this Rick and Morty scene
>>> There several ways to block SSH attempts. I use pfSense to forward a
>>> standard port, ban the IP after 5 failed attempts and ban IPs that port
>>> scan. The iptables way you suggested looks to be the simplest.
>>> ------ Original message------
>>> From: Christopher Cashell
>>> Date: Tue, Sep 26, 2017 10:53 PM
>>> To: Omaha Linux User Group
>>> Cc:
>>> Subject: Re: [olug] Shell accounts? [OT?]
>>> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth wrote:
>>> The biggest bummer, nostalgia aside, is SSH access. In order to keep
>>>> log file noise to a minimum, my home firewall restricts which IP blocks
>>>> allowed to SSH into my home computer. On the rare occasion when I need
>>>> SSH in from an unapproved network, I was always able to SSH into falcon
>>>> first, then jump from there to my home machine. That route is no
>>>> option, so I'll probably have to open up the firewall again. Or maybe
>>>> can just paint with a bigger brush & block foreign IP's using that list
>>>> that somebody posted recently.
>>>> Someone mentioned port-knocking, which can be a handy solution for
>>> Another option that can significantly reduce the log noise is to use
>>> iptables to minimize or prevent brute-force SSH attacks.
>>> Replace the iptables rule on your box that is allowing TCP port 22 with
>>> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>>>     -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min \
>>>     --hashlimit-burst 4 --hashlimit-name ssh -j ACCEPT
>>> That will limit new TCP connection attempts to a rate of 1 per minute,
>>> a burst of 4 allowed per source IP. Basically, anyone who makes
>>> ssh attempts too quickly will automatically have their connection
>>> dropped. The more attempts they make, the longer they get blocked. The
>>> best thing about it is that it requires no maintenance or external
>>> applications (like fail2ban), and is very "fire and forget" for low
>>> connection rate protocols like SSH.
>>> One other handy option, you can keep SSH blocked from the outside, and
>>> something like OpenVPN to connect remotely. Then, after establishing a
>>> session to your computer externally, you can SSH across the VPN to not
>>> expose SSH publicly. This can also give you some additional access
>>> benefits to your system.
>>> For the ultimate in remote shell flexibility, I'll echo another
>>> that was thrown out, too: Linode. I've been using Linode.com for 10
>>> now, and I can't recommend them enough. They're Virtual Private Server
>>> (VPS) hosting by geeks/engineers for geeks/engineers.
>>>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
OLUG mailing list
OLUG at olug.org
More information about the OLUG
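Christopher's hashlimit rule above only ACCEPTs connections that fit the per-source token bucket; whatever falls outside it must be caught by a later DROP rule or the chain's default policy, or it is not "dropped" at all. The script below is an added example, not code from the thread or from the netfilter project: it models the bucket semantics of `--hashlimit-upto 1/min --hashlimit-burst 4 --hashlimit-mode srcip` (the refill is approximated as continuous, an assumption; the kernel uses discrete credits) and runs it over a constructed sequence of SSH connection attempts to show which ones the rule lets through. The IP addresses and timestamps are constructed test data.

```python
from dataclasses import dataclass, field

# The full rule pair the simulation models. The second rule is the explicit
# DROP that must follow the hashlimit ACCEPT for non-matching packets to be
# discarded (assumption: the chain has no earlier rule accepting port 22).
RULES = [
    "iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW "
    "-m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min "
    "--hashlimit-burst 4 --hashlimit-name ssh -j ACCEPT",
    "iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j DROP",
]


@dataclass
class HashLimit:
    """Token bucket per source IP, approximating iptables -m hashlimit."""
    rate_per_sec: float          # --hashlimit-upto 1/min  -> 1/60
    burst: int                   # --hashlimit-burst 4
    buckets: dict = field(default_factory=dict)  # srcip -> (tokens, last_ts)

    def allow(self, srcip: str, ts: float) -> bool:
        """Return True if a NEW connection from srcip at time ts matches the rule."""
        tokens, last = self.buckets.get(srcip, (float(self.burst), ts))
        # Refill at the configured average rate since the last packet,
        # never exceeding the burst size (continuous refill: an approximation).
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate_per_sec)
        if tokens >= 1.0:
            self.buckets[srcip] = (tokens - 1.0, ts)
            return True
        self.buckets[srcip] = (tokens, ts)
        return False


def simulate(attempts, rate_per_sec=1 / 60, burst=4):
    """Apply RULES to (timestamp, srcip) attempts; return (ts, ip, verdict) rows."""
    limiter = HashLimit(rate_per_sec=rate_per_sec, burst=burst)
    verdicts = []
    for ts, ip in attempts:
        verdict = "ACCEPT" if limiter.allow(ip, ts) else "DROP"
        verdicts.append((ts, ip, verdict))
    return verdicts


# Constructed sample: one source hammering port 22 once a second, one
# legitimate login in the middle, and the hammering source trying again later.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.9"), (1, "203.0.113.9"), (2, "203.0.113.9"), (3, "203.0.113.9"),
    (4, "203.0.113.9"), (5, "198.51.100.5"), (5, "203.0.113.9"), (6, "203.0.113.9"),
    (70, "203.0.113.9"),
]


def verdicts_for(ip, attempts=SAMPLE_ATTEMPTS):
    """Convenience: the ordered list of verdicts a single source IP received."""
    return [v for _, src, v in simulate(attempts) if src == ip]


if __name__ == "__main__":
    for rule in RULES:
        print(rule)
    for ts, ip, verdict in simulate(SAMPLE_ATTEMPTS):
        print(f"t={ts:>3}s  {ip:<14} {verdict}")
```

Running it shows the burst of four from 203.0.113.9 accepted, the fifth through seventh dropped, and the attempt at t=70 accepted again once roughly a minute of credit has accrued, while the unrelated 198.51.100.5 is unaffected because hashlimit keys its buckets on the source address. Note that the bucket keeps refilling whether or not attempts continue, so the "longer block for more attempts" behaviour the post describes comes from the attacker never letting the bucket reach a full token, not from any growing penalty.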
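Kevin's point about shortening a country block list with CIDR aggregation, and the ipset suggestion further down the thread, can be checked mechanically. This is an added example, not code from the thread: it aggregates a constructed list of prefixes with the standard library's `ipaddress.collapse_addresses`, verifies that the shorter list matches exactly the same addresses as the original, and emits the `ipset`/`iptables` lines that would load the result as a single set. The prefixes are constructed documentation ranges, not any real country allocation, and the set name `blocklist` is an arbitrary choice.

```python
import ipaddress


def collapse(cidrs):
    """Merge adjacent and overlapping prefixes into the minimal equivalent list."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def same_coverage(cidrs_a, cidrs_b):
    """True if two prefix lists match exactly the same set of addresses."""
    return collapse(cidrs_a) == collapse(cidrs_b)


def covers(ip, cidrs):
    """True if ip falls inside any prefix of the list (what `-m set ... src` tests)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def ipset_script(set_name, cidrs):
    """Shell lines that create an ipset from the prefixes and drop SSH from it.

    Assumption: the chain has no earlier rule accepting port 22, so the single
    DROP rule referencing the set is enough to reject those sources.
    """
    lines = [f"ipset create {set_name} hash:net -exist"]
    lines += [f"ipset add {set_name} {c} -exist" for c in cidrs]
    lines.append(
        f"iptables -I INPUT -p tcp --dport 22 -m set --match-set {set_name} src -j DROP"
    )
    return lines


# Constructed input: two halves of a /24, a /24 with a redundant sub-range,
# and a lone /26, written the verbose way a hand-maintained list tends to be.
VERBOSE_LIST = [
    "192.0.2.0/25",
    "192.0.2.128/25",
    "198.51.100.0/24",
    "198.51.100.64/26",
    "203.0.113.0/26",
]


if __name__ == "__main__":
    short = collapse(VERBOSE_LIST)
    print("verbose:", len(VERBOSE_LIST), "prefixes ->", "collapsed:", len(short), short)
    print("equivalent:", same_coverage(VERBOSE_LIST, short))
    print("\n".join(ipset_script("blocklist", short)))
```

The collapsed form is shorter and loads faster, but each merged prefix loses the annotation of which allocation it came from, which is the maintainability cost Kevin mentions; keeping the verbose list as the source of truth and generating the collapsed ipset from it at load time keeps both properties.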